A contract to provide credit and identity monitoring services to millions affected by this summer's hack of the Office of Personnel and Management was made in violation of federal acquisition rules, according to a ruling from OPM's inspector general, found in an Oct. 30 memo to acting OPM director Beth Cobert.
"We determined that the [Office of Procurement Operations] did not award the Winvale contract in compliance with the FAR and OPM's policies and procedures, which led to the OPO selecting the wrong contracting vehicle," the memo, from OPM IG Patrick McFarland's office, said.
"While we are unable to determine whether the issues we uncovered are significant enough to have impacted the award of the contract to Winvale Group LLC, and its subcontractor, CSIdentity, it is evident that significant deficiencies existed in the OPO over the contract award process."
Related:Read the memo
The contract was awarded in the wake of a cyber-breach where the information of 21.5 million people was exposed. OPM awarded a contract to Winvale, a cybersecurity contractor based in Washington, D.C., after the breach came to light.
Samuel Schumach, spokesman for OPM, said the agency has reviewed the problem and would address it once the OIG's office has filed a complete report, expected in December.
"We proactively identified an error with the Winvale contract, raised it with the OIG, and then took action to address this issue at no additional cost to the taxpayer. Once the IG report is published, we will provide a formal response," Schumach said, via email.
OPM and McFarland have clashed before on the issue of IT upgrades, with inspector general offering a terse letter on how the contracting was developing.
OPM is seeking to improve its cybersecurity following the hack, with 5 million letters currently sent to federal employees, retirees and dependents to inform them about the credit protections.
Nextgov.com first reported the OIG memo on Nov. 12.